jss/SOURCES/0004-Remove-token-key-checks.patch

113 lines
4.6 KiB
Diff
Raw Normal View History

From a3a91a8e85d7f05de3c85b0ae6ad1c80cf7c5b55 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Tue, 17 Mar 2020 12:54:49 -0400
Subject: [PATCH 1/2] Remove token key checks
Previously we enforced strict token key matching: the primary key used
for the operation must strictly reside on the current PKCS#11 token,
otherwise JSS would bail. However, NSS has the ability to move the key
to whichever token best supports the given operation. This means that
we'd prematurely bail when the operation would succeed if it were
actually executed. By removing these checks, we still leave the ability
to generate keys on a specific token, we just allow them to be used on
whatever token supports the given operation (and the key is allowed to
be moved to).
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/pkcs11/PK11Cipher.java | 4 ----
org/mozilla/jss/pkcs11/PK11KeyWrapper.java | 22 -------------------
org/mozilla/jss/pkcs11/PK11MessageDigest.java | 7 ------
3 files changed, 33 deletions(-)
diff --git a/org/mozilla/jss/pkcs11/PK11Cipher.java b/org/mozilla/jss/pkcs11/PK11Cipher.java
index 81b600a4..aac411a4 100644
--- a/org/mozilla/jss/pkcs11/PK11Cipher.java
+++ b/org/mozilla/jss/pkcs11/PK11Cipher.java
@@ -262,10 +262,6 @@ public final class PK11Cipher extends org.mozilla.jss.crypto.Cipher {
if( key==null ) {
throw new InvalidKeyException("Key is null");
}
- if( ! key.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("Key does not reside on the "+
- "current token");
- }
if( ! (key instanceof PK11SymKey) ) {
throw new InvalidKeyException("Key is not a PKCS #11 key");
}
diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
index 28840a87..eee2984d 100644
--- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
+++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
@@ -168,10 +168,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
throw new InvalidKeyException("Key is null");
}
try {
- if( ! key.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("Key does not reside on the current token: key owning token="+
- key.getOwningToken().getName());
- }
if( ! (key instanceof PK11SymKey) ) {
throw new InvalidKeyException("Key is not a PKCS #11 key");
}
@@ -196,10 +192,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
if( key==null ) {
throw new InvalidKeyException("Key is null");
}
- if( ! key.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("Key does not reside on the "+
- "current token");
- }
if( ! (key instanceof PK11PrivKey) ) {
throw new InvalidKeyException("Key is not a PKCS #11 key");
}
@@ -299,13 +291,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
throw new InvalidKeyException("key to be wrapped is not a "+
"PKCS #11 key");
}
-/* NSS is capable of moving keys appropriately,
- so this call is prematurely bailing
- if( ! symKey.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("key to be wrapped does not live"+
- " on the same token as the wrapping key");
- }
-*/
}
/**
@@ -320,13 +305,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
throw new InvalidKeyException("key to be wrapped is not a "+
"PKCS #11 key");
}
-/* NSS is capable of moving keys appropriately,
- so this call is prematurely bailing
- if( ! privKey.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("key to be wrapped does not live"+
- " on the same token as the wrapping key");
- }
-*/
}
/**
diff --git a/org/mozilla/jss/pkcs11/PK11MessageDigest.java b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
index cd732788..7a1a6dad 100644
--- a/org/mozilla/jss/pkcs11/PK11MessageDigest.java
+++ b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
@@ -47,13 +47,6 @@ public final class PK11MessageDigest extends JSSMessageDigest {
}
hmacKey = (PK11SymKey) key;
-
- if( ! key.getOwningToken().equals(token) ) {
- hmacKey = null;
- throw new InvalidKeyException(
- "HMAC key does not live on the same token as this digest");
- }
-
this.digestProxy = initHMAC(token, alg, hmacKey);
}
--
2.25.1